5.4. Disabling the Invoker Servlet

One reason for setting up a custom URL for a servlet or JSP page is so that you can register initialization parameters to be read from the init (servlets) or jspInit (JSP pages) methods. However, as discussed in Section 5.5 (Initializing and Preloading Servlets and JSP Pages), the initialization parameters are available only when the servlet or JSP page is accessed by means of a custom URL pattern or a registered name, not when it is accessed with the default URL of http://host/webAppPrefix/servlet/ServletName. Consequently, you might want to turn off the default URL so that nobody accidentally calls the uninitialized servlet. This process is sometimes known as disabling the invoker servlet, since most servers have a standard servlet that is registered with the default servlet URLs and simply invokes the real servlet that the URL refers to.

There are two main approaches for disabling the default URL:

  • Remapping the /servlet/ pattern in each Web application.

  • Globally turning off the invoker servlet.

It is important to note that, although remapping the /servlet/ pattern in each Web application is more work than disabling the invoker servlet in one fell swoop, remapping can be done in a completely portable manner. In contrast, the process for globally disabling the invoker servlet is completely machine specific, and in fact some servers (e.g., ServletExec) have no such option. The next subsection discusses the per-Web-application strategy of remapping the /servlet/ URL pattern. The two subsections after that provide details on globally disabling the invoker servlet in Tomcat and JRun.

Remapping the /servlet/ URL Pattern

It is quite straightforward to disable processing of URLs that begin with http://host/webAppPrefix/servlet/ in a particular Web application. All you need to do is create an error message servlet and use the url-pattern element discussed in the previous section to direct all matching requests to that servlet. Simply use

<url-pattern>/servlet/*</url-pattern> 

as the pattern within the servlet-mapping element.

For example, Listing 5.5 shows a portion of the deployment descriptor that associates the SorryServlet servlet (Listing 5.6) with all URLs that begin with http://host/webAppPrefix/servlet/. Figures 5-7 and 5-8 illustrate attempts to access the TestServlet servlet (Listing 5.1 in Section 5.3) before (Figure 5-7) and after (Figure 5-8) the web.xml entries of Listing 5.5 are made.

Figure 5-7. Successful attempt to invoke the TestServlet servlet by means of the default URL. The invoker servlet is enabled.


Figure 5-8. Unsuccessful attempt to invoke the TestServlet servlet by means of the default URL. The invoker servlet is disabled.


All compliant servers yield the results of Figures 5-7 and 5-8. However, ServletExec 4.0 has a bug whereby mappings of the /servlet/* pattern are ignored (other mappings work fine). Furthermore, since ServletExec has no global method of disabling the invoker servlet, in version 4.0 you are left with no alternative but to leave the invoker servlet enabled. The problem is resolved in ServletExec version 4.1.

Core Warning

You cannot disable the invoker servlet in ServletExec 4.0.


Listing 5.5. web.xml (Excerpt showing how to disable default URLs)
<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE web-app PUBLIC 
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
    "http://java.sun.com/dtd/web-app_2_3.dtd"> 

<web-app> 
  <!-- ... --> 
  <servlet>
    <servlet-name>Sorry</servlet-name>
    <servlet-class>moreservlets.SorryServlet</servlet-class>
  </servlet>
  <!-- ... -->
  <servlet-mapping>
    <servlet-name>Sorry</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <!-- ... --> 
</web-app> 

Listing 5.6. SorryServlet.java
package moreservlets; 

import java.io.*; 
import javax.servlet.*; 
import javax.servlet.http.*; 

/** Simple servlet used to give error messages to 
 *  users who try to access default servlet URLs 
 *  (i.e., http://host/webAppPrefix/servlet/ServletName) 
 *  in Web applications that have disabled this 
 *  behavior. 
 */ 

public class SorryServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, 
                    HttpServletResponse response) 
      throws ServletException, IOException {
    response.setContentType("text/html"); 
    PrintWriter out = response.getWriter(); 
    String title = "Invoker Servlet Disabled."; 
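    // ServletUtilities.headWithTitle is the helper class from the
    // moreservlets package; it emits the DOCTYPE and HEAD section.
    out.println(ServletUtilities.headWithTitle(title) +
                "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                "<H2>" + title + "</H2>\n" +
                "Sorry, access to servlets by means of\n" +
                "URLs that begin with\n" +
                "http://host/webAppPrefix/servlet/\n" +
                "has been disabled.\n" +
                "</BODY></HTML>");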
  } 

  public void doPost(HttpServletRequest request, 
                    HttpServletResponse response) 
      throws ServletException, IOException {
    doGet(request, response); 
  } 
} 

Globally Disabling the Invoker: Tomcat

The method you use to turn off the default URL in Tomcat 4 is quite different from the approach used in Tomcat 3. The following two subsections summarize the two approaches.

Disabling the Invoker: Tomcat 4

Tomcat 4 turns off the invoker servlet in the same way that I turned it off in the previous section: by means of a url-pattern element in web.xml. The difference is that Tomcat uses a server-specific global web.xml file that is stored in install_dir/conf, whereas I used the standard web.xml file that is stored in the WEB-INF directory of each Web application.

Thus, to turn off the invoker servlet in Tomcat 4, you simply comment out the /servlet/* URL mapping entry in install_dir/conf/web.xml, as shown below.

<!--
<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->

Again, note that this entry is in the Tomcat-specific web.xml file that is stored in install_dir/conf, not the standard web.xml file that is stored in the WEB-INF directory of each Web application.

Figures 5-9 and 5-10 show the results when the TestServlet (Listing 5.1 from the previous section) is invoked with the default URL and with the registered servlet name in a version of Tomcat that has the invoker servlet disabled. Both URLs are of the form http://host/webAppPrefix/servlet/something, and both fail. Figure 5-11 shows the result when the explicit URL pattern is used; this request succeeds.

Figure 5-9. TestServlet when invoked with the default URL in a server that has globally disabled the invoker servlet.


Figure 5-10. TestServlet when invoked with a registered name in a server that has globally disabled the invoker servlet.


Figure 5-11. TestServlet when invoked with a custom URL in a server that has globally disabled the invoker servlet.


Disabling the Invoker: Tomcat 3

In version 3 of Apache Tomcat, you globally disable the default servlet URL by commenting out the InvokerInterceptor entry in install_dir/conf/server.xml. For example, following is a section of a server.xml file that prohibits use of the default servlet URL.

<!--
<RequestInterceptor
  className="org.apache.tomcat.request.InvokerInterceptor"
  debug="0" prefix="/servlet/" />
-->

With this entry commented out, Tomcat 3 gives the same results as shown in Figures 5-9 through 5-11.

Globally Disabling the Invoker: JRun

In JRun 3.1, you disable the invoker servlet by editing install_dir/lib/global.properties and inserting a # at the beginning of the line that defines the invoker, thus commenting out the line. This is illustrated below.

# webapp.servlet-mapping./servlet=invoker 

With these settings, JRun gives about the same results as shown in Figures 5-9 through 5-11; the only minor difference is that it gives 500 (Internal Server Error) messages for the first two cases instead of the 404 (Not Found) messages that Tomcat gives.
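The settings described in the remapping, Tomcat 4, and JRun subsections can be checked mechanically. The following audit script is an added example, not code from the original text: it reports whether the default /servlet/ URL still reaches the invoker, given the text of the global web.xml, an application's web.xml, or JRun's global.properties. The function names and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PATTERN = "/servlet/*"

def servlet_mappings(web_xml_text):
    """Return {url-pattern: servlet-name} for active mappings.
    XML comments are skipped by the parser, so a commented-out
    servlet-mapping does not appear in the result."""
    mappings = {}
    for el in ET.fromstring(web_xml_text).iter():
        # Strip any namespace so newer descriptors are handled too.
        if el.tag.rsplit("}", 1)[-1] != "servlet-mapping":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        mappings[fields.get("url-pattern")] = fields.get("servlet-name")
    return mappings

def default_url_reachable(global_xml, app_xml):
    """True if /servlet/ServletName still reaches the invoker for this app."""
    invoker_on = servlet_mappings(global_xml).get(PATTERN) == "invoker"
    remapped = PATTERN in servlet_mappings(app_xml)  # e.g. to SorryServlet
    return invoker_on and not remapped

def jrun_invoker_enabled(properties_text):
    """True if global.properties has an uncommented invoker mapping."""
    for line in properties_text.splitlines():
        key, _, value = line.strip().partition("=")
        if (key.strip() == "webapp.servlet-mapping./servlet"
                and value.strip() == "invoker"):
            return True
    return False

# Constructed sample inputs (not taken from a real installation).
GLOBAL_ON = """<web-app><servlet-mapping><servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern></servlet-mapping></web-app>"""
GLOBAL_OFF = """<web-app><!-- <servlet-mapping><servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern></servlet-mapping> --></web-app>"""
APP_PLAIN = "<web-app></web-app>"
APP_REMAPPED = """<web-app><servlet-mapping><servlet-name>Sorry</servlet-name>
<url-pattern>/servlet/*</url-pattern></servlet-mapping></web-app>"""

if __name__ == "__main__":
    for g, a in [(GLOBAL_ON, APP_PLAIN), (GLOBAL_ON, APP_REMAPPED),
                 (GLOBAL_OFF, APP_PLAIN)]:
        print("default URL reachable:", default_url_reachable(g, a))
    print("JRun invoker enabled:",
          jrun_invoker_enabled("# webapp.servlet-mapping./servlet=invoker"))
```

Run against the real files, read install_dir/conf/web.xml and each WEB-INF/web.xml as text and pass them in; an application is exposed only when the first function returns True for it.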
